The Trojan adds the following keys to the Windows registry to ensure persistence upon reboot:

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\

%Userprofile%\Application Data\76ff\GoogleUpdate.exe

Once the computer is compromised, the malware copies its own executable file to the %Userprofile%\Application Data\76ff folder.

GoogleUpdate.exe is a legitimate Google Update Service that is signed by Google, as shown below:

The malware encrypts the victim's files with a strong RSA 2048 encryption algorithm until the victim pays a fee to get them back. When files are encrypted, they will have the .[victim_id]_luck extension appended to the filename.

After encrypting all the personal documents and files it shows the following text file:

Once infected, the victim's data is encrypted and the victim is given a 72-hour countdown to pay 2.1 bitcoins to the cyber criminals in exchange for the decryption key that supposedly allows recovery of the encrypted files.
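The persistence entry and the file extension described above can both be checked during triage. The following is an added example, not part of the original advisory: it flags Run-key commands that launch GoogleUpdate.exe from outside a `\Google\Update` directory (an assumption about where a genuine install lives) and lists files carrying a `_luck` extension. The sample Run values, file paths, user name and victim ID are constructed.

```python
import ntpath
import re

# Final extension ending in "_luck". The victim-ID format is not given in the
# advisory, so any non-empty ID, bracketed or not, is accepted (assumption).
LUCK_EXT = re.compile(r"\.[^.\\/]+_luck$", re.IGNORECASE)
# Assumption: a genuine Google Update install runs from a ...\Google\Update folder.
EXPECTED_PARENT = "\\google\\update"

def run_target(command):
    """Extract the executable path from a Run-key command line."""
    command = command.strip()
    if command.startswith('"'):
        return command[1:].split('"', 1)[0]
    match = re.match(r"(.+?\.exe)\b", command, re.IGNORECASE)
    return match.group(1) if match else command

def suspicious_run_entries(run_values):
    """Names of Run values launching GoogleUpdate.exe from an unexpected folder."""
    hits = []
    for name, command in run_values.items():
        path = ntpath.normpath(run_target(command)).lower()
        if (ntpath.basename(path) == "googleupdate.exe"
                and not ntpath.dirname(path).endswith(EXPECTED_PARENT)):
            hits.append(name)
    return sorted(hits)

def encrypted_files(paths):
    """Paths carrying the .[victim_id]_luck extension described above."""
    return [p for p in paths if LUCK_EXT.search(p)]

# Constructed sample data: value names, user name and victim ID are made up.
SAMPLE_RUN = {
    "Updater": r"%Userprofile%\Application Data\76ff\GoogleUpdate.exe",
    "Google Update": r'"C:\Users\bob\AppData\Local\Google\Update\GoogleUpdate.exe" /c',
    "OneDrive": r'"C:\Users\bob\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background',
}
SAMPLE_FILES = [
    r"C:\Users\bob\Documents\report.docx.[A1B2C3]_luck",
    r"C:\Users\bob\Documents\good_luck.txt",
    r"C:\Users\bob\Pictures\photo.jpg",
]

if __name__ == "__main__":
    print("Suspicious Run values:", suspicious_run_entries(SAMPLE_RUN))
    print("Encrypted files:", encrypted_files(SAMPLE_FILES))
```

On a live Windows host the `run_values` dictionary can be filled from `HKCU\Software\Microsoft\Windows\CurrentVersion\Run` with the standard-library `winreg` module.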

SonicWALL Gateway AntiVirus provides protection against this threat via the following signature: